CompTIA Network+ Practice Test

What is the primary difference between Transport mode and Tunnel mode in IPsec?

• A. Transport mode encrypts the IP header
• B. Tunnel mode adds a new IP header
• C. Transport mode is used for multicast
• D. Tunnel mode is for unicast only

The correct answer is: Tunnel mode adds a new IP header

The primary difference between Transport mode and Tunnel mode in IPsec lies in how they handle IP packet headers and the overall structure of the packets being transmitted. In Tunnel mode, a new IP header is added to the original IP packet. This encapsulation allows the entire original packet, including both the header and the payload, to be encrypted, providing an additional layer of security. The new outer IP header is necessary for routing the encapsulated packet through the IP network, which can include traversing insecure or untrusted networks. In contrast, Transport mode focuses on encrypting only the payload of the original IP packet while the IP header remains unencrypted. This mode is typically used for end-to-end communications between two hosts when both endpoints are IPsec-enabled, and it does not provide the same level of encapsulation and security for the packet’s header as Tunnel mode. The other options refer to aspects that do not accurately characterize the distinction between Transport and Tunnel modes. For instance, the focus of Transport mode is not on working with multicast traffic, nor is Tunnel mode limited to unicast communication. The essence of Tunnel mode's functionality lies in its ability to wrap the original packet entirely, facilitating secure communication across diverse networking environments.